VERIFICATION OF SEVERAL PARALLEL COORDINATION PROGRAMS
BASED ON DESCRIPTIONS OF THEIR REACHABILITY SETS


by 

B. D. Lubachevsky


Abstract - A method for verifying parallel programs is applied to
several examples (PV-semaphore, "busy-wait" synchronization, "cessation
of activity" synchronization, "readers-writers"). The graph of all
program states and state transitions is represented in a special
compact form independent of the number N of processing elements. This
representation aids in verifying certain correctness properties that
cannot be easily expressed in the form "predicate(state)". In each of
the above mentioned examples a special "reachability tree" is developed
whose nodes are some subsets of the set of all reachable states. The
root is the initial state and moving down the tree corresponds to some
processors advancing their execution. In the presented examples the
size of this tree is independent of N. The notion of a compact program
is introduced: roughly speaking, a parallel program is compact if there
exists a bound, independent of N, on the time required to reach any
state. Examples of non-compact programs are presented.

Index  Terms  -  correctness  proof,  program  verification,  concurrent 
processes,  synchronization,  semaphore,  liveness  property,  mutual 

1. Introduction.

This paper considers verification problems typified by the following
(incorrect) implementation of Dijkstra's PV-semaphore.

COMMENT P-section

P1:   p <- REPADD(sem,-1)
      if (p ≥ 0) then go to P3
P2:   REPADD(sem,1)
      go to P1

COMMENT critical section, protected by sem

P3:   {...}

COMMENT V-section

      REPADD(sem,1)
      go to P1

This code is supposed to be executed by all the processing elements
(PEs) of a parallel computer. In this code, sem is a public variable
accessible by each PE; initially sem = 1; p is a private variable, i.e.
each PE maintains its own copy of p; all PEs begin at P1; the expression
REPADD(sem,constant) is used for the function-with-side-effect that
replaces sem by (sem + constant) and returns the new value of sem. The
REPADD operation is indivisible in the sense that the result of
concurrently executed REPADD operations is the same as if the operations
were executed in some unspecified serial order (see [5]).

It was shown in [4] (see also [5]) that after the first execution
of the critical section P3, the following unacceptable race condition
can occur: All the PEs are infinitely executing the loop between the
statements P1 and P2, and sem ≤ 0, which prevents any PE from entering
the critical section. Note that such "parallel bugs" are particularly
hard to discover so a mechanical method for exposing them would be very
helpful. Consider the following table that lists all states reachable
when a 2-processor parallel computer executes the above program. In
this table we characterize states by giving the values of sem and the
number of PEs beginning execution of each statement P1, P2, P3. (We do
not consider states in which a PE has executed part, but not all, of a
statement). For each state we also indicate the states resulting from
a PE completing execution of its current statement and moving to
another.

s1 (initial state) [P1: 2 PEs, P2: no PEs, P3: no PEs; sem = 1]
    move of 1 PE from P1 to P3 leads to s2

s2 [P1: 1 PE, P2: no PEs, P3: 1 PE; sem = 0]
    move of 1 PE from P1 to P2 leads to s3
    move of 1 PE from P3 to P1 leads to s1

s3 [P1: no PEs, P2: 1 PE, P3: 1 PE; sem = -1]
    move of 1 PE from P2 to P1 leads to s2
    move of 1 PE from P3 to P1 leads to s4

s4 [P1: 1 PE, P2: 1 PE, P3: no PEs; sem = 0]
    move of 1 PE from P1 to P2 leads to s5
    move of 1 PE from P2 to P1 leads to s1

s5 [P1: no PEs, P2: 2 PEs, P3: no PEs; sem = -1]
    move of 1 PE from P2 to P1 leads to s4

Table 1.1


This type of table can be produced mechanically. In fact, a formal
procedure exists and has been programmed by the author that can analyse
programs like the one given above for any fixed number of PEs. We do
not present a detailed description of this procedure in the present
paper and only briefly outline it here. This procedure, first, creates
the table of all reachable states (like table 1.1 above). Then the
procedure analyses the directed graph representing all reachable states
of the program and all possible transitions. For our example the nodes
of the graph are s1, s2, s3, s4, s5, and the arcs are (s1,s2), (s2,s3),
(s2,s1), (s3,s2), (s3,s4), (s4,s5), (s4,s1), (s5,s4). Each of the arcs
corresponds to one move listed in the above table. The race condition
mentioned above appears as a strongly connected component s4->s5->s4 of
the subgraph generated by the predicate "there are no PEs at P3" in
this graph. We will see that the well-known "finite delay property"
(discussed below) also must be satisfied by the strongly connected
component in order to generate a race condition.
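
The outlined procedure, as an added example (not the author's program, which the paper does not list): it enumerates the reachability graph of the incorrect semaphore for a fixed N, restricts it to "no PEs at P3", and keeps the strongly connected components that satisfy the finite delay property as defined in section 3. It assumes the test at P1 admits a PE when REPADD returns 0, as the first move in table 1.1 requires; all function names are illustrative.

```python
from collections import deque

POSITIONS = ("P1", "P2", "P3")


def moves(state):
    """Yield (position left, next state) for each single-PE move.

    state = (n1, n2, n3, sem): PEs about to execute P1, P2, P3, plus sem.
    """
    n1, n2, n3, sem = state
    if n1:  # P1: p <- REPADD(sem,-1); p >= 0 enters P3, otherwise go on to P2
        p = sem - 1
        if p >= 0:
            yield "P1", (n1 - 1, n2, n3 + 1, p)
        else:
            yield "P1", (n1 - 1, n2 + 1, n3, p)
    if n2:  # P2: REPADD(sem,1); go to P1
        yield "P2", (n1 + 1, n2 - 1, n3, sem + 1)
    if n3:  # P3 and the V-section: REPADD(sem,1); go to P1
        yield "P3", (n1 + 1, n2, n3 - 1, sem + 1)


def reachability_graph(n_pes):
    """Map every reachable state to its outgoing (position, state) arcs."""
    arcs, queue = {}, deque([(n_pes, 0, 0, 1)])  # all PEs at P1, sem = 1
    while queue:
        state = queue.popleft()
        if state not in arcs:
            arcs[state] = list(moves(state))
            queue.extend(nxt for _, nxt in arcs[state])
    return arcs


def induced_sccs(arcs, predicate):
    """SCCs (containing at least one arc) of the subgraph induced by predicate."""
    nodes = [s for s in arcs if predicate(s)]
    succ = {s: {t for _, t in arcs[s] if predicate(t)} for s in nodes}

    def reach(src):  # states reachable from src by a path of length >= 1
        seen, stack = set(), list(succ[src])
        while stack:
            v = stack.pop()
            if v not in seen:
                seen.add(v)
                stack.extend(succ[v])
        return seen

    reach_of = {s: reach(s) for s in nodes}
    sccs, done = [], set()
    for s in nodes:
        if s in done or s not in reach_of[s]:
            continue  # already reported, or s lies on no cycle
        comp = frozenset(t for t in reach_of[s] if s in reach_of[t])
        done |= comp
        sccs.append(comp)
    return sccs


def satisfies_fdp(arcs, comp):
    """Every position occupied somewhere in comp is left by some arc of comp."""
    occupied = {POSITIONS[i] for s in comp for i in range(3) if s[i] > 0}
    left = {pos for s in comp for pos, t in arcs[s] if t in comp}
    return occupied <= left


def race_conditions(n_pes):
    """Components in which no PE is ever at P3 although every PE keeps moving."""
    arcs = reachability_graph(n_pes)
    sccs = induced_sccs(arcs, lambda s: s[2] == 0)  # "no PEs at P3"
    return [c for c in sccs if satisfies_fdp(arcs, c)]


if __name__ == "__main__":
    graph = reachability_graph(2)
    for state, out in graph.items():
        print(state, "->", out)
    print("race components:", race_conditions(2))
```

For N = 2 the graph has the five states and eight arcs of table 1.1, and the single reported component is the pair s4, s5.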

We now show that the verificational approach started by Floyd for
sequential programs and extended ([2], [7]) to concurrent programs
would not expose the race condition described above. We can rewrite
our REPADDs as "WITH-WHEN"¹, cf. [7]:

p  <-  REPADD  (sem,  const) 

is  the  same  as 

WITH  sem  WHEN  true  DO  {sem  <-  sem  +  const;  p  <-  sem} 

Here p is a private variable, sem is a public variable and const is a
constant; the notation "WITH sem" represents the indivisibility of
resource sem. The incorrect semaphore implementation given above is
"deadlock-free" according to [7] because all processes inside WITH-WHEN
sections cannot be "blocked". (Blocking occurs if there exists a
reachable state with all WHEN conditions false. But in our example all
these conditions are identically true).

The  semaphore  program  is  "improved"  in  [5].  But  is  the  new 
program  (given  in  section  3)  correct?  We  have  applied  our  verification 
procedure  for  parallel  computers  with  various  numbers  of  PEs  and  no  bug 
was  found.  (The  time  and  memory  requirements  increase  rapidly  with  the 
number  of  PEs.) 

Can one develop for an arbitrary number of PEs a compact
representation of table 1.1 containing all information about the
program behavior? An example of such a representation has been given by
Dijkstra [4]. While analysing a "producer-consumer" program Dijkstra
introduces a set S of states of the program and analyses all possible
state transitions. He shows that all transitions from a state in S
yield a state in S. This analysis then is applied to verify a property
of the form "predicate(state)".


¹ In [3] a similar approach was applied to analyse a parallel program,
however the reachability set was developed only for 2 PEs.

But this approach is not detailed in [4]. It was not shown that
all states in S are reachable, and no procedure was given to generate
S. Also the possibility of using this method to investigate a race
condition was not mentioned, although the race condition described
above² was exposed in the very same paper.

The present paper analyses several programs in which all execution
states are represented in a special compact form for an arbitrary
number of PEs. This technique aids in verifying some correctness
properties of such programs, especially those properties that cannot
be easily expressed in the form "predicate(state)", e.g. the absence
of a race condition.³


² The author finds [4] to be a very stimulating work. However, based on
the existence of the race condition in the semaphore program, the
primitive REPADD was rejected as not appropriate for solving the mutual
exclusion problem. In fact, this and many other problems can be solved
using REPADD (see [5]).

³ A few recent works such as [8] study the liveness property of parallel
programs. The absence of a race condition in the semaphore example
above would be such a property. However, unlike the present work, [8]
assumes implicitly that the number of processes is fixed, and only
presents program examples of this kind. The author believes that this
assumption greatly simplifies the analysis needed and, as mentioned
above, permits automatic verification.

2. Some definitions.

We wish to define a parallel program schema that will be called an
abstract program. An abstract program represents a class of concrete
parallel programs and is defined by the following:

- a directed graph G (which represents the "body" of the concrete
programs). The vertices of the graph are called positions. Let
{Pi; i=1,...,k} be the set of positions of G; G has two kinds of
positions: interior and exterior, described below. As usual we say that
Pj follows Pi, if G has an arc (Pi,Pj);

- a set C of counters, such that to each interior position P there
is associated a counter c=c(P). Note that one counter can be
associated with several positions. C corresponds to the public
variables in the concrete program. Since the programs considered below
have no private variables, C coincides with the set of all program
variables⁴;

- a set F = {f_i} of replacing functions, f_i: Range(c(Pi)) ->
Range(c(Pi)). Each interior position has a unique replacing function;

- a set D = {d_i} of directing functions; d_i assigns to each value
of c(Pi) a position that follows Pi. Each interior position has its
own directing function. If no position follows Pi then d_i(c(Pi)) is
the empty set.

The distinction between interior and exterior positions is that
the former usually represent the control flow of a concrete program
represented by the abstract program; whereas the latter represent the
control flow of other "exterior" concrete programs. In the examples
below this point will become clearer.

⁴ If there are private variables in the program, which cannot be
considered as counters, one can apply a "replicating code" technique to
get rid of them. We give an example of how this technique works in
section 4. A more detailed explanation of this technique as well as
some other general issues concerning the verification problem are to
follow in a future paper.

In the following "program" will mean an abstract program unless
otherwise specified.

The execution state or simply the state of a program is the vector

state = (n_1,...,n_k; c_1,...,c_r),

where n_i is the current number of processing elements (PEs) at position
Pi, i=1,...,k; N = n_1+...+n_k is the total number of PEs; c_j is as
above; and r is the number of distinct counters.

We assign meaning to the given program (G,C,F,D) with a given
initial state s0 (and thus a given N) by defining a set of possible
execution histories (or simply histories). Such a history is a
sequence of states s0,s1,... as specified by the following
(nondeterministic) procedure.

step <- 0; CurrentState <- s0
REPEAT
    if possible, choose a position Pi such that
        n_i is positive and some position follows Pi;
    IF such a Pi does not exist
    THEN Finished <- TRUE
    ELSE
        BEGIN
        IF Pi is interior
        THEN
            BEGIN
            replace the value of the associated
                counter c(Pi) <- f_i(c(Pi));
            define the new position Pj <- d_i(c(Pi))
            END
        ELSE (Pi is exterior) choose a position Pj
            following Pi;
        move one PE from Pi to Pj, namely
            n_i <- n_i - 1, n_j <- n_j + 1
        COMMENT if i=j, then n_i does not change.
        END
    step <- step + 1; s_step <- CurrentState
UNTIL Finished = TRUE

Note that histories may be of infinite length. In the examples
considered below each position has at least one successor; in such
cases all histories are of infinite length.

Starting with a given initial state s0 one can generate the set R
= R(s0) of all reachable states by developing all possible histories.
The reachability directed graph A=A(s0) is defined as follows: the node
set of A is R and the arcs are the possible transitions, i.e. all
pairs (s_i,s_{i+1}) determined by the procedure given above.

Now we wish to present our abstract program in a form closer to
the usual representation of a concrete program. We will use the
expression Replace-f(c) for the function-with-side-effect that replaces
c by f(c) and returns the new value of c. In this new representation,
the program will be written as an unordered set of statements each of
which corresponds to a position of G. There are two kinds of
statements: For each interior position Pi the corresponding statement
is

(I)     Pi: go to d_i(Replace-f_i(c(Pi)))

For each exterior position Pi the corresponding statement is

(E)     Pi: go to Pj_1 or Pj_2 or ... or Pj_m

where Pj_1,...,Pj_m follow Pi. The expression "go to empty", that occurs
when no position follows Pi, should be understood as the empty
statement "do nothing".

In the example programs to follow the statement order will be
significant because we adopt the usual convention that if no "go to"
appears in the statement corresponding to Pi, a "go to the statement
corresponding to P(i+1)" is assumed. The following statement forms
(all are special cases of (I) and (E)) will be used in the examples.
(The expression REPADD(counter,constant) means Replace-f(counter) with
f(x) = x + constant.)

(I1)  Pi: counter <- constant

(I2)  Pi: counter <- constant
          go to Pj

(I3)  Pi: if predicate(counter) then go to Pj

(I4)  Pi: if predicate(counter) then go to Pj_1
          go to Pj_2

(I5)  Pi: REPADD(counter,constant)

(I6)  Pi: REPADD(counter,constant)
          go to Pj

(I7)  Pi: if (predicate(REPADD(counter,constant))) then go to Pj

(I8)  Pi: if (predicate(REPADD(counter,constant))) then go to Pj_1
          go to Pj_2

(E1)  Pi: go to Pj

(E2)  Pi: go to Pj_1 or Pj_2


In subsequent examples when referring to a program we will mean a
family of programs parameterized by N. Replacing functions, directing
functions and the initial state (but not the graph G) may depend on N.
In statements (I) and (E) we allow predicates and constants to depend
on N.


3.   Semaphore. 


The semaphore program of [5] can be represented by the following
code, where we use star (*) to represent the current position, and
{...} to represent a basic block (i.e. single entry single exit) that
does not access the counters. The initial state s0 in this and
subsequent examples is (N,0,...,0; c_1,...,c_r), i.e. all N PEs begin at
P1. In this example there is only one counter, sem, which has the
initial value 1.

P1:   {...}

COMMENT P-section

P2:   if (sem ≤ 0) then go to *
P3:   if (REPADD(sem,-1) ≥ 0) then go to P5
P4:   REPADD(sem,1)
      go to P2

COMMENT critical section, protected by sem

P5:   {...}

COMMENT V-section

P6:   REPADD(sem,1)
      go to P1

As in [5] the following two assertions are to be verified about
this program:

(A1) No more than 1 PE can be in the critical section at any one
time.

(A2) For any time t such that no PEs are in the critical section
at time t, there exists a time t'>t such that some PE is in the
critical section at time t'.

While analysing this (relatively simple) program we will introduce
several techniques and notions used in subsequent examples.

First, we are to represent the concrete program as an abstract
program of section 2. The critical section "P5: {...}" and the other
section denoted {...} do not affect the analysis. Thus we can consider
the following abbreviated abstract program.

P1:   if (sem ≤ 0) then go to *
P2:   if (REPADD(sem,-1) ≥ 0) then go to P4
P3:   REPADD(sem,1)
      go to P1
P4:   REPADD(sem,1)
      go to P1

Note that statements P1, P2, P3, P4 in this code are of the form
(I3), (I7), (I6), and (I6), respectively.


We next show that R(s0) ⊇ S1 ∪ ... ∪ S5, where Si, i=1,...,5 are
the following sets (all n_i are supposed to be nonnegative integers):

S1 = {s0} = {s ; n1 = N, sem = 1}
S2 = {s ; n1 + n2 = N, sem = 1}
S3 = {s ; n1 + n2 = N-1, n4 = 1, sem = 0}
S4 = {s ; n1 + n2 + n3 = N-1, n4 = 1, sem = -n3}
S5 = {s ; n1 + n2 + n3 = N, n1 ≥ 1, n3 ≥ 1, sem = 1 - n3}


Clearly, R ⊇ S1.

Consider the only state s0 = (N,0,0,0; 1) in S1, i.e. the state in
which all PEs are at P1 and the public variable sem = 1. Looking at
the code we see that in state s0 from 1 to N PEs can move from P1 to
P2; such moves generate the set

S2' = {s ; n1 + n2 = N, n2 ≥ 1, sem = 1}

Note that S2 = S2' ∪ S1 and therefore all states in S2 are reachable,
i.e. R ⊇ S2.


Consider those states s in S2 from which PEs can move along the
arc P2 -> P4, i.e. those states satisfying the condition n2 ≥ 1. Note
that in these states at least one PE is at P2 and sem = 1. Looking at
the code we see that at most 1 PE can move from P2 to P4; such moves
generate S3 and therefore all states in S3 are reachable, i.e. R ⊇
S3.

Consider those states s in S3 from which PEs can move along the
arc P2 -> P3, i.e. those states satisfying the condition n2 ≥ 1. Note
that in these states at least one PE is at P2 and sem ≤ 0. Looking at
the code we see that from 1 to n2 PEs can move from P2 to P3; such
moves generate the set

S4' = {s ; n1 + n2 + n3 = N-1, n4 = 1, n3 ≥ 1, sem = -n3}

Note that S4 = S4' ∪ S3 and therefore all states in S4 are reachable,
i.e. R ⊇ S4.

Consider those states s in S4 that have at least 1 PE at P3, i.e.
those states satisfying the condition n3 ≥ 1. Looking at the code we
see that 1 PE can move from P4 to P1; such moves generate the set S5
and therefore all states from S5 are reachable, i.e. R ⊇ S5.

This implies that each Si contains only reachable states, i.e.

(1)   R ⊇ ∪ Si  (i = 1,...,5)

The above arguments may be abbreviated as in table 3.1.

REACHABILITY TREE

S1  n1 = N, sem = 1
    moves from P1 to P2 lead to S2

S2  n1 + n2 = N, sem = 1
    moves from P2 to P4 lead to S3

S3  n1 + n2 = N-1, n4 = 1, sem = 0
    moves from P2 to P3 lead to S4

S4  n1 + n2 + n3 = N-1, n4 = 1, sem = -n3
    moves from P4 to P1 lead to S5, if n3 ≥ 1

S5  n1 + n2 + n3 = N, n1 ≥ 1, n3 ≥ 1, sem = 1-n3

Table 3.1

We will use the REACHABILITY TREE in future examples without
explicitly noting that all states represented in the table are
reachable.

The word "tree" in the name of the table is due to the fact that
the table can be viewed as a directed graph, which is in fact a
directed tree. The nodes of this graph are the Si in the table and the
arcs are pairs (Si,Sj) such that some move starting at Si "leads to Sj"
according to the table. For the semaphore example the nodes are
{S1,S2,S3,S4,S5} and the arcs are {(S1,S2), (S2,S3), (S3,S4), (S4,S5)}, so
that the tree is simply a sequence S1->S2->S3->S4->S5. For subsequent
examples the REACHABILITY TREE can be more complex.

Recall the restriction n3 ≥ 1 in moves from S4 to S5. Let us call
this kind of restriction a branching condition. In the above example
n3, the only variable appearing in a branching condition, does not
change in value during the move controlled by the branching condition;
but sometimes a branching condition involves several variables some of
which change in value during the move. In such a case the predicate
must be true for the states obtained after the move.

When the number of nodes in the REACHABILITY TREE is small (as is
the case for the simple semaphore program), the REACHABILITY TREE can
be used directly as an instrument to observe the behavior of the
program. In other examples the REACHABILITY TREE is large and
reductions are helpful. Let us demonstrate one such reduction for
our simple example.

Consider the set of sets Ψ = {S2,S4,S5}. Ψ has the property that
it is a minimal subset of the set Φ = {S1,S2,S3,S4,S5} such that for
any element Si of Φ there exists an element Sj from Ψ such that Si ⊆
Sj. In fact we have the following inclusions:

INCLUSIONS

S1 ⊆ S2; S3 ⊆ S4

Moreover none of the elements from Ψ is a subset of any of the other 2
elements of Ψ. Thus we can omit S1 and S3 without losing any states.

In the REACHABILITY TREE above, for each set Si that is an element
of Ψ we only listed some of the possible moves. The following
REACHABILITY SET DESCRIPTION (RSD) is the final product of the
technique. It lists, for each Si in Ψ, all possible moves.

REACHABILITY SET DESCRIPTION

S2  n1 + n2 = N, sem = 1
    moves from P1 to P2 lead to *
    moves from P2 to P4 lead to S4

S4  n1 + n2 + n3 = N-1, n4 = 1, sem = -n3
    moves from P1 to P1 lead to *
    moves from P2 to P3 lead to *
    moves from P3 to P1 lead to *
    moves from P4 to P1 lead to S5, if n3 ≥ 1
                     or lead to S2, if n3 = 0

S5  n1 + n2 + n3 = N, n1 ≥ 1, n3 ≥ 1, sem = 1-n3
    moves from P1 to P1 lead to *
    moves from P2 to P3 lead to *
    moves from P3 to P1 lead to *, if n3 ≥ 1
                     or lead to S2, if n3 = 0

Table 3.2

The phrases listed under the formulas for each Si are called
directing phrases. Each directing phrase represents a class of moves
"from Pi to Pj". We say that these moves are carried by the arc Pi ->
Pj (of the graph G) or that this arc carries these moves.

The RSD is closed in the sense that all moves are to sets given in
the description; moreover, all possible moves are represented and the
initial state belongs to S2. Thus we have

(2)   R ⊆ S2 ∪ S4 ∪ S5.

Properties (1) and (2) together give

R = S2 ∪ S4 ∪ S5

In subsequent examples a similar argument shows that R is the union of
the sets presented in the RSD.

The above analysis has actually involved a hidden assumption that
N is sufficiently large. For example when we considered those states s
in S3 such that n2 > 0, we tacitly assumed that N > 1 (or else no such
s exists). For each example in this paper it is easy to see that there
exists an N0 such that for all N ≥ N0 all the required states do exist.
In particular, for the semaphore example just discussed, one may choose
N0 = 2. However, the REACHABILITY TREE and the RSD tables are actually
valid for all N ≥ 1 if interpreted correctly. Although for small N
some sets Si are empty and some branching conditions are unsatisfiable,
no contradiction arises. This may be easily checked on a case-by-case
basis.
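
An added check, not code from the paper: for small N it computes R by exhaustive search of the abbreviated program, compares it with S2 ∪ S4 ∪ S5 built from the formulas of table 3.2, and tests closure of the RSD and assertion (A1), which also covers the small-N cases one by one. It assumes P1 loops while sem ≤ 0 and P2 branches to P4 when REPADD returns a value ≥ 0, the reading under which the moves listed in the RSD are possible; all function names are illustrative.

```python
from itertools import product


def moves(state):
    """Yield every state reachable by one PE executing one statement.

    state = (n1, n2, n3, n4, sem) for the abbreviated program P1..P4.
    """
    n1, n2, n3, n4, sem = state
    if n1:  # P1: if (sem <= 0) then go to *   (otherwise fall through to P2)
        yield state if sem <= 0 else (n1 - 1, n2 + 1, n3, n4, sem)
    if n2:  # P2: if (REPADD(sem,-1) >= 0) then go to P4, else go on to P3
        new = sem - 1
        if new >= 0:
            yield (n1, n2 - 1, n3, n4 + 1, new)
        else:
            yield (n1, n2 - 1, n3 + 1, n4, new)
    if n3:  # P3: REPADD(sem,1); go to P1
        yield (n1 + 1, n2, n3 - 1, n4, sem + 1)
    if n4:  # P4: REPADD(sem,1); go to P1
        yield (n1 + 1, n2, n3, n4 - 1, sem + 1)


def reachable(n_pes):
    """Brute-force reachability set R(s0) for s0 = (N,0,0,0; 1)."""
    seen, frontier = set(), [(n_pes, 0, 0, 0, 1)]
    while frontier:
        state = frontier.pop()
        if state not in seen:
            seen.add(state)
            frontier.extend(moves(state))
    return seen


def rsd_sets(n_pes):
    """Enumerate S2, S4, S5 directly from their formulas."""
    s2, s4, s5 = set(), set(), set()
    for n1, n2, n3 in product(range(n_pes + 1), repeat=3):
        total = n1 + n2 + n3
        if n3 == 0 and total == n_pes:
            s2.add((n1, n2, 0, 0, 1))
        if total == n_pes - 1:
            s4.add((n1, n2, n3, 1, -n3))
        if total == n_pes and n1 >= 1 and n3 >= 1:
            s5.add((n1, n2, n3, 0, 1 - n3))
    return s2, s4, s5


def check_rsd(n_pes):
    """Compare the RSD with brute force and test closure and (A1)."""
    s2, s4, s5 = rsd_sets(n_pes)
    union = s2 | s4 | s5
    r = reachable(n_pes)
    closed = (n_pes, 0, 0, 0, 1) in union and all(
        nxt in union for state in union for nxt in moves(state)
    )
    return {
        "R_equals_union": r == union,
        "closed": closed,
        "A1_holds": all(state[3] <= 1 for state in r),
        "sizes": (len(s2), len(s4), len(s5), len(r)),
    }


if __name__ == "__main__":
    for n in range(1, 7):
        print(n, check_rsd(n))
```

For N = 1 the set S5 comes out empty and the comparison still holds, which is the small-N situation described above.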

Before analysing the semaphore program using the above RSD let us
make the following general remarks.

Note that the RSD can be viewed as a directed graph Γ that differs
from both the graph A and the REACHABILITY TREE. Namely nodes of Γ are
those sets Si appearing in the RSD and arcs of Γ correspond to the
directing phrases associated with each Si. In the semaphore example Γ
has 3 nodes corresponding to the 3 sets S2,S4,S5 and has 11 arcs,
corresponding to the 11 directing phrases in the RSD. For example,
Γ contains arcs (S2,S2), (S5,S5), and (S5,S2) since the phrases

moves from P1 to P2 lead to *

moves from P3 to P1 lead to *, if n3 ≥ 1
                 or lead to S2, if n3 = 0

are written under the formulas for S2 and S5.

For the reader's convenience we summarize the graphs defined thus
far in table 3.3.


Graph   Node set                  Elements of node set

G       {P1,...,Pk}               program positions
A       R                         reachable states
Γ       {S_i1,...,S_im} of RSD    subsets of R

Table 3.3


Let p(s) be some predicate over the set R of nodes of A, i.e. a
predicate over states of the program, and S be a subset of R. By S•p we
denote the intersection of S with {s; p(s) = true}. By A•p we denote the
subgraph of A induced by the predicate p, i.e. the subgraph whose node
set is R•p and whose arcs are those of A connecting these nodes. The
following is a general problem when analysing our programs. Given a
predicate p find all strongly connected components (SCCs) in A•p. To
find these SCCs one executes the following procedure called FIND SCC.

⁵ A strongly connected component c in a directed graph g is a maximal
subgraph of g such that for any two (not necessarily different) nodes
of c there exists a directed path in g from the first node to the
second.

Step 1. Let {S_i1,...,S_im} be the sets constituting the RSD (these
sets are also nodes of Γ). Eliminate from Γ those Si for which the
corresponding sets Si•p are empty and eliminate all arcs adjacent to
these nodes. Note that a directing phrase can be viewed as a set of
pairs of states and eliminate each arc whose corresponding directing
phrase does not contain a pair both of whose components satisfy p.
(Note that the first elimination is a special case of the second). The
graph obtained is called Γ•p.

Step 2. Find all SCCs in Γ•p. For each SCC L generate its
description, i.e. list every Si•p with its formula and for each Si•p
list all directing phrases (i.e. arcs in Γ) not eliminated. Let G_L be
a subgraph of G, consisting of those arcs of G that carry the moves
represented in the directing phrases of L (and the vertices adjacent to
these arcs).

Step 3. Find all SCCs of each graph G_L constructed in step 2.

At the end of this section we will prove that if there exists a
non-empty SCC K in A•p, then at least one SCC L in Γ•p will be
non-empty and the corresponding G_L will contain at least one SCC M,
whose arcs carry all moves of K.

It is important to note that once the RSD is given procedure FIND
SCC can be automated for a large class of predicates.

Now we interrupt our general remarks and apply the RSD to verify
the semaphore program. Since (A1) is equivalent to:

- n4 ≤ 1 for all states,

it follows immediately from the RSD.

Note that generally any assertion like predicate(state) can be
easily verified using the RSD.

To express (A2) in terms of the description, we introduce the
finite delay property (FDP).

We say that a cycle in A satisfies the FDP if for every position
Pi such that n_i > 0 for some state on the cycle, there is a move from
Pi that corresponds to a transition from a (possibly different) state
of the cycle.

Note that the FDP fails for some cycle in A if and only if there
is a position Pi such that n_i is a positive constant during the cycle
(i.e. no PE enters or leaves Pi during the cycle execution and there
is at least one PE at Pi).⁶

Now (A2) can be expressed as:

there are no cycles satisfying the FDP such that n4 = 0 for all
states on the cycle.

First we consider the case N ≥ N0 = 2. The problem is to observe
all SCCs in A satisfying the condition n4 = 0 for all states that form
the SCC. To do so let us apply the procedure FIND SCC for p(s)={n4=0}.


⁶ This definition of the FDP appears to be weaker than the one commonly
used: the usual FDP means that all PEs have finite delays.
Consequently it fails if one PE stays at a position Pi during the cycle
execution. However, we could prove that our (weak) FDP is equivalent
to the strong FDP if we refined the notion of the program state to
include the identification of which PEs (rather than how many of them)
are at each point in the program. Then we could establish that given a
cycle of the program execution satisfying the weak FDP, one can arrange
a cycle of the program execution satisfying the strong FDP and running
through the same states as the first one. Note that these cycles lie
not in A but in its refinement corresponding to the refined notion of
state just given.
Step 1 gives the graph Γ•p of the form:

S2•p  n1 + n2 = N, sem = 1
    moves from P1 to P2 lead to *

S5•p  n1 + n2 + n3 = N, n1 ≥ 1, n3 ≥ 1, sem = 1 - n3
    moves from P1 to P1 lead to *
    moves from P2 to P3 lead to *
    moves from P3 to P1 lead to *, if n3 ≥ 1
                        or lead to S2•p, if n3 = 0


Note that to obtain Γ•p from the RSD table we have crossed out node S4
and all directing phrases associated with it (because S4•p is empty)
and the phrase

    moves from P2 to P4 lead to S4

associated with node S2.

Now we proceed through step 2 and find out that Γ•p has the
following two SCCs (which correspond to the graphs L in the procedure
FIND SCC).

First SCC in Γ•p (L = L1):

S2•p  n1 + n2 = N, sem = 1
    moves from P1 to P2 lead to *

Second SCC in Γ•p (L = L2):

S5•p  n1 + n2 + n3 = N, n1 ≥ 1, n3 ≥ 1, sem = 1 - n3
    moves from P1 to P1 lead to *
    moves from P2 to P3 lead to *
    moves from P3 to P1 lead to *, if n3 ≥ 1


Now we go to step 3 of the procedure and work with each SCC
separately. L1 corresponds to the subgraph G_L1 ⊂ G which has no SCC.
L2 gives the subgraph G_L2 ⊂ G of the form P2 -> P3 -> P1 -> P1
which in turn has only one SCC, namely P1 -> P1.

Now we see that the loop P1 -> P1 can carry the only class of SCCs
in A, namely

S5•p  n1 + n2 + n3 = N, n1 ≥ 1, n3 ≥ 1, sem = 1 - n3
    moves from P1 to P1 lead to *

But none of these SCCs satisfies the FDP, because n3 ≥ 1 for S5•p but
there is no move from P3. This verifies (A2) for N > N0.

For N < N0 some sets Si become empty and/or some branching
conditions become unsatisfiable. But this only makes our task easier
by eliminating some cycles.

In subsequent examples we will not consider the case N < N0
separately.

Now we return to the discussion of the procedure FIND SCC in the
general case and prove that if there exists a SCC K in A•p, then, by
applying FIND SCC, one obtains both a SCC L in Γ•p such that each node
s of K lies in some node Si•p of L and a SCC M in G, that contains arcs
carrying all moves represented by directing phrases of L. To prove this
fact we will actually build the graphs L and M for a given SCC K.

To build L we let s_1 -> ... -> s^ -> s_1 be a cycle in K including every
state (such a cycle exists since K is a SCC). We associate with this
cycle an infinite sequence Q = {S_{i_1}•p, S_{i_2}•p, ...} of nodes of Γ•p as
follows. State s_1 lies in some set S_{i_1}•p, which we define to be the
first term of the sequence. To the transition s_1 -> s_2 there is
associated an arc in Γ•p (i.e. a directing phrase written under the
description of S_{i_1}•p) which was not eliminated. This arc leads to some
S_{i_2}•p, which we define to be the second term, etc. Let
{S_{i_1}•p, ..., S_{i_{m-1}}•p} be the largest initial segment of Q composed of
distinct nodes of Γ•p. (Such a segment exists since Γ•p is a finite
graph). Hence S_{i_m}•p = S_{i_r}•p for some 1 ≤ r < m. Then except for the first
m-1 terms, Q is an infinitely repeating cycle S_{i_r}•p -> ...
-> S_{i_{m-1}}•p -> S_{i_r}•p. It is easy to see that the subgraph L' of Γ•p induced
by the set of nodes S_{i_r}•p, S_{i_{r+1}}•p, ..., S_{i_{m-1}}•p constituting the cycle is
strongly-connected. We now define L to be any SCC in Γ•p, containing
L'. Since by construction L' has the property that each node s of K
lies in some node Si•p of L', so does L.

To build M we consider the same cycle s_1 -> ... -> s^ -> s_1 in K. Now we
associate with each move s. -> s^^.j^ of this cycle an arc in the graph G
that carries this move. Arcs of G may be chosen several times and we
consider them with their multiplicities. The set of arcs with the set
of their endpoints forms a directed graph M" that is connected and has
the property that for each node, the number of input arcs is equal to
the number of output arcs (counting the multiplicities). It follows
from this that M" is strongly-connected. Now based on M" we form
another graph M' by eliminating multiplicities from M". M' is a
subgraph in G and is also strongly-connected since M" is. Clearly M'
⊂ G_L. Finally, we define M to be a SCC in G_L containing M'. Since
the arcs of M' carry all moves represented by directing phrases of L,
so do the arcs of M.

Thus we have proved that the procedure FIND SCC is correct in the
sense explained above.


4.  "Busy-wait"  synchronization. 


In this section we will analyse a synchronisation primitive
routine which was suggested by Malvin Kalos and the author of this
paper and then was used in many scientific application codes developed
in the "Ultracomputer Project" (see, for example, [6]). The purpose of
this routine is to trap PEs until all of them complete a previous
asynchronous section and then to release them for execution of another
asynchronous section. Counters sem(1) and sem(2) are used to calculate
the number of PEs trapped by the routine. They work in a flip-flop
manner so that sem(1) / sem(2) is used by all odd / even invocations of
the routine. The private variable index is 1 (or is 2) for odd (or
even) invocations. Initially sem(1) = sem(2) = 0, index = 1. (We leave
to the reader the task of showing that using only one semaphore will
lead to a bug).

COMMENT asynchronous section

P1:   {...}

COMMENT entry to the synchronization routine

P2:   if (REPADD (sem(index),1) ≥ N) then go to P4

COMMENT all PEs but the last one do the following

P3:   if (sem(index) ≥ 1) then go to *
      index <- 3-index
      go to P1

COMMENT the last PE does the following

P4:   sem(index) <- 0
      index <- 3-index
      go to P1

We want to verify the following assertions about the program:

(A1) No one PE can get to the next asynchronous section P1 while
some PE is still in the previous asynchronous section P1.

(A2) No one PE can be trapped in the routine P2,P3,P4 forever.

We are not able to analyse this program as is since it has the
private variable index. We can easily get rid of index by replicating
the code two times. Moreover since "P1: {...}" is a basic block (i.e.
single entry single exit) and does not alter sem(index), its presence
does not affect our analysis and we can get rid of it too. Using both
of these methods we obtain the following code:
P1:   if (REPADD (sem(1),1) ≥ N) then go to P3

P2:   if (sem(1) ≥ 1) then go to *
      go to P4

P3:   sem(1) <- 0

P4:   if (REPADD (sem(2),1) ≥ N) then go to P6

P5:   if (sem(2) ≥ 1) then go to *
      go to P1

P6:   sem(2) <- 0
      go to P1

Note  that  indivisibility  of  the  operations  sem(i)  <-  0  is  provided  by 
our  interpretation  of  abstract  programs  (see  section  2).  However  in 
this  particular  example  one  can  use  the  same  operations  sem(i)  <-  0 
without  any  care  about  their  possible  divisibility  in  the  concrete 
program.  The  indivisibility  follows  from  the  RSD  below.  Namely  a 
maximum  of  one  PE  can  stay  in  P3  and  P6. 

Now the properties (A1), (A2) can be expressed in the form:

(A1) No one PE can get to the section P4 while some PE is still in
the section P1; no one PE can get to the section P1 while some PE is
still in the section P4.

(A2) For any time t such that there are PEs in the section P1, P2,
P3 (odd call) at moment t there exists a time t'>t such that no PEs are
in the section P1, P2, P3 at moment t'; for any time t such that there
are PEs in the section P4, P5, P6 (even call) at moment t there exists
a time t'>t such that no PEs are in the section P4, P5, P6 at moment
t'.
REACHABILITY TREE

S1   n1 = N, sem(1) = sem(2) = 0
    moves from P1 to P2 lead to S2

S2   n1 + n2 = N, 1 ≤ n2 ≤ N-2,
     sem(1) = n2, sem(2) = 0
    moves from P1 to P2 lead to S3, if n2 = N-1

S3   n1 = 1, n2 = N-1, sem(1) = N-1, sem(2) = 0
    moves from P1 to P3 lead to S4

S4   n2 = N-1, n3 = 1, sem(1) = N, sem(2) = 0
    moves from P3 to P4 lead to S5

S5   n2 = N-1, n4 = 1, sem(1) = sem(2) = 0
    moves from P2 to P4 lead to S6

S6   n2 + n4 = N, n4 ≥ 1, sem(1) = sem(2) = 0
    moves from P4 to P5 lead to S7

S7   n2 + n4 + n5 = N, 1 ≤ n5 ≤ N-2,
     sem(1) = 0, sem(2) = n5
    moves from P4 to P5 lead to S8, if n5 = N-1

S8   n2 + n4 = 1, n5 = N-1, sem(1) = 0, sem(2) = N-1
    moves from P4 to P6 lead to S4'

S4'  n5 = N-1, n6 = 1, sem(1) = 0, sem(2) = N
    moves from P6 to P1 lead to S5'


Table 4.1

The rest of the tree is omitted in table 4.1. It consists of sets
S5', S6', S7', S8', that are connected and their descriptions are the same
as those of S5, S6, S7, S8, respectively, where symbols P(1+i), n_{1+i}
are interchanged with symbols P(1+j), n_{1+j}, respectively, for i=0,1,2
and j=(i+3)mod6, and sem(1) is interchanged with symbol sem(2). Note
that the description of the set S4' can be obtained from that of S4 in
the same manner.

INCLUSIONS
S1 ⊂ S6'; S2 ⊂ S7'; S3 ⊂ S8'; S5 ⊂ S6; S5' ⊂ S6'
REACHABILITY SET DESCRIPTION

S4   n2 = N-1, n3 = 1, sem(1) = N, sem(2) = 0
    moves from P2 to P2 lead to *
    moves from P3 to P4 lead to S6

S6   n2 + n4 = N, n4 ≥ 1, sem(1) = sem(2) = 0
    moves from P2 to P4 lead to *
    moves from P4 to P5 lead to S7

S7   n2 + n4 + n5 = N, 1 ≤ n5 ≤ N-2,
     sem(1) = 0, sem(2) = n5
    moves from P2 to P4 lead to *
    moves from P4 to P5 lead to *, if n5 ≤ N-2
                        or lead to S8, if n5 = N-1
    moves from P5 to P5 lead to *

S8   n2 + n4 = 1, n5 = N-1, sem(1) = 0, sem(2) = N-1
    moves from P2 to P4 lead to *
    moves from P4 to P6 lead to S4'
    moves from P5 to P5 lead to *

S4'  n5 = N-1, n6 = 1, sem(2) = N, sem(1) = 0
    moves from P5 to P5 lead to *
    moves from P6 to P1 lead to S6'

S6'  n5 + n1 = N, n1 ≥ 1, sem(2) = sem(1) = 0
    moves from P5 to P1 lead to *
    moves from P1 to P2 lead to S7'

S7'  n5 + n1 + n2 = N, 1 ≤ n2 ≤ N-2,
     sem(2) = 0, sem(1) = n2
    moves from P5 to P1 lead to *
    moves from P1 to P2 lead to *, if n2 ≤ N-2
                        or lead to S8', if n2 = N-1
    moves from P2 to P2 lead to *

S8'  n5 + n1 = 1, n2 = N-1, sem(2) = 0, sem(1) = N-1
    moves from P5 to P1 lead to *
    moves from P1 to P3 lead to S4
    moves from P2 to P2 lead to *


Table 4.2
Since (A1) is equivalent to:

- n1 × n4 < 1 for all states

it follows immediately from the description.

(A2) can be expressed in the form:

- there are no cycles satisfying the FDP such that n1 + n2 + n3 ≥
1 along all states on the cycle;

and there are no cycles satisfying the FDP such that n4 + n5 + n6 ≥ 1
along all states on the cycle.

We will prove only the first part of the assertion as the second
part will then be true by symmetry.

We apply the procedure FIND SCC of section 3 to obtain all SCCs of
A, all states of which satisfy the predicate p(s) = {n1 + n2 + n3 ≥ 1}.

Step 1 gives the graph Γ•p as in table 4.3.
S4•p   n2 = N-1, n3 = 1, sem(1) = N, sem(2) = 0
    moves from P2 to P2 lead to *
    moves from P3 to P4 lead to S6•p

S6•p   n2 + n4 = N, n4 ≥ 1, n2 ≥ 1, sem(1) = sem(2) = 0
    moves from P2 to P4 lead to *
    moves from P4 to P5 lead to S7•p

S7•p   n2 + n4 + n5 = N, 1 ≤ n5 ≤ N-2, n2 ≥ 1,
       sem(1) = 0, sem(2) = n5
    moves from P2 to P4 lead to *
    moves from P4 to P5 lead to *, if n5 ≤ N-2
                        or lead to S8•p, if n5 = N-1
    moves from P5 to P5 lead to *

S8•p   n2 + n4 = 1, n5 = N-1, n2 ≥ 1, sem(1) = 0, sem(2) = N-1
    moves from P2 to P4 lead to *
    moves from P5 to P5 lead to *

S6'•p  n5 + n1 = N, n1 ≥ 1, sem(2) = sem(1) = 0
    moves from P5 to P1 lead to *
    moves from P1 to P2 lead to S7'•p

S7'•p  n5 + n1 + n2 = N, 1 ≤ n2 ≤ N-2,
       sem(2) = 0, sem(1) = n2
    moves from P5 to P1 lead to *
    moves from P1 to P2 lead to *, if n2 ≤ N-2
                        or lead to S8'•p, if n2 = N-1
    moves from P2 to P2 lead to *

S8'•p  n5 + n1 = 1, n2 = N-1, n1 + n2 ≥ 1,
       sem(2) = 0, sem(1) = N-1
    moves from P5 to P1 lead to *
    moves from P1 to P3 lead to S4•p
    moves from P2 to P2 lead to *


Table 4.3

Step 2 gives the following 7 SCCs in Γ•p:

1-st SCC in Γ•p:

S4•p   n2 = N-1, n3 = 1, sem(1) = N, sem(2) = 0
    moves from P2 to P2 lead to *

2-nd SCC in Γ•p:

S6•p   n2 + n4 = N, n4 ≥ 1, n2 ≥ 1, sem(1) = sem(2) = 0
    moves from P2 to P4 lead to *

3-rd SCC in Γ•p:

S7•p   n2 + n4 + n5 = N, n2 ≥ 1, 1 ≤ n5 ≤ N-2,
       sem(1) = 0, sem(2) = n5
    moves from P2 to P4 lead to *
    moves from P4 to P5 lead to *, if n5 ≤ N-2
    moves from P5 to P5 lead to *

4-th SCC in Γ•p:

S8•p   n2 + n4 = 1, n5 = N-1, n2 ≥ 1, sem(1) = 0, sem(2) = N-1
    moves from P2 to P4 lead to *
    moves from P5 to P5 lead to *

5-th SCC in Γ•p:

S6'•p  n5 + n1 = N, n1 ≥ 1, sem(2) = sem(1) = 0
    moves from P5 to P1 lead to *

6-th SCC in Γ•p:

S7'•p  n5 + n1 + n2 = N, 1 ≤ n2 ≤ N-2,
       sem(2) = 0, sem(1) = n2
    moves from P5 to P1 lead to *
    moves from P1 to P2 lead to *, if n2 ≤ N-2
    moves from P2 to P2 lead to *

7-th SCC in Γ•p:

S8'•p  n5 + n1 = 1, n2 = N-1, n1 + n2 ≥ 1,
       sem(2) = 0, sem(1) = N-1
    moves from P5 to P1 lead to *
    moves from P2 to P2 lead to *

Step 3 gives the following two loops as SCCs in graphs G_L for L
equal to the 1-st, 3-rd, 4-th, 6-th, or 7-th SCC in Γ•p: P2 -> P2 and
P5 -> P5. These loops can carry the following 5 classes of SCCs in A:

S4•p   n2 = N-1, n3 = 1, n2 ≥ 1, sem(1) = N, sem(2) = 0
    moves from P2 to P2 lead to *

S7•p   n2 + n4 + n5 = N, 1 ≤ n5 ≤ N-2, n2 ≥ 1,
       sem(1) = 0, sem(2) = n5
    moves from P5 to P5 lead to *

S8•p   n2 + n4 = 1, n5 = N-1, n2 ≥ 1, sem(1) = 0, sem(2) = N-1
    moves from P5 to P5 lead to *

S7'•p  n5 + n1 + n2 = N, 1 ≤ n2 ≤ N-2,
       sem(2) = 0, sem(1) = n2
    moves from P2 to P2 lead to *

S8'•p  n5 + n1 = 1, n2 = N-1, n1 + n2 ≥ 1,
       sem(2) = 0, sem(1) = N-1
    moves from P2 to P2 lead to *


But none of these SCCs satisfies the FDP, because for any SCC
there is a position Pi such that ni is a positive constant for all
states of the SCC. (For example any SCC from S7•p satisfies condition
n2 = const ≥ 1). This proves (A2).
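The Section 4 result can be cross-checked by brute force for small N. The following Python sketch is an added example, not code from the paper: it enumerates every reachable counter state (n1..n6, sem(1), sem(2)) of the abstract busy-wait program, checks (A1) as n1 × n4 < 1, checks that at most one PE is ever at P3 or at P6, and checks that each state lies in a set of Table 4.2. It assumes REPADD returns the updated value and that the tests read "≥ N" and "≥ 1"; the function names and the counters=1 variant (the one-semaphore exercise the text leaves to the reader) are assumptions of this example.

```python
from collections import deque

# State = (n1..n6, sem1, sem2): ni PEs sit at position Pi of the abstract
# program; one PE executing one labelled statement is one indivisible move.


def successors(state, N, counters=2):
    """Return the set of states reachable in one move (self-loops included)."""
    n, sem = list(state[:6]), list(state[6:])
    out = set()

    def emit(src, dst, new_sem):
        m = n[:]
        m[src] -= 1
        m[dst] += 1
        out.add(tuple(m) + tuple(new_sem))

    # Odd calls (P1..P3) use sem(1); even calls (P4..P6) use sem(2), or
    # sem(1) again in the hypothetical single-counter variant.
    for base, k in ((0, 0), (3, 1 if counters == 2 else 0)):
        entry, spin, last, nxt = base, base + 1, base + 2, (base + 3) % 6
        if n[entry]:                    # if (REPADD(sem,1) >= N) go to last
            s = sem[:]
            s[k] += 1
            emit(entry, last if s[k] >= N else spin, s)
        if n[spin]:                     # if (sem >= 1) go to *
            emit(spin, spin if sem[k] >= 1 else nxt, sem)
        if n[last]:                     # sem <- 0
            s = sem[:]
            s[k] = 0
            emit(last, nxt, s)
    return out


def in_rsd(state, N):
    """True if the state is in S4, S6, S7, S8 of Table 4.2 or a primed mirror."""
    def half(n1, n2, n3, n4, n5, n6, s1, s2):
        s4 = n2 == N - 1 and n3 == 1 and s1 == N and s2 == 0
        s6 = n2 + n4 == N and n4 >= 1 and s1 == 0 and s2 == 0
        s7 = (n2 + n4 + n5 == N and 1 <= n5 <= N - 2
              and s1 == 0 and s2 == n5)
        s8 = n2 + n4 == 1 and n5 == N - 1 and s1 == 0 and s2 == N - 1
        return s4 or s6 or s7 or s8

    n1, n2, n3, n4, n5, n6, s1, s2 = state
    # Primed sets: swap P(1+i) with P(4+i) and sem(1) with sem(2).
    return half(*state) or half(n4, n5, n6, n1, n2, n3, s2, s1)


def explore(N, counters=2):
    """Breadth-first enumeration of all reachable states, with the checks."""
    init = (N, 0, 0, 0, 0, 0, 0, 0)
    seen, queue = {init}, deque([init])
    report = {"states": 0, "a1_violations": [], "crowded": [],
              "stuck": [], "outside_rsd": []}
    while queue:
        s = queue.popleft()
        report["states"] += 1
        if s[0] * s[3] >= 1:            # (A1): n1 x n4 < 1
            report["a1_violations"].append(s)
        if s[2] > 1 or s[5] > 1:        # at most one PE in P3 and in P6
            report["crowded"].append(s)
        if counters == 2 and not in_rsd(s, N):
            report["outside_rsd"].append(s)
        succ = successors(s, N, counters)
        if succ <= {s}:                 # every PE can only spin in place
            report["stuck"].append(s)
        for t in succ - seen:
            seen.add(t)
            queue.append(t)
    return report


if __name__ == "__main__":
    for N in range(2, 6):
        two, one = explore(N), explore(N, counters=1)
        print(N, two["states"], len(two["outside_rsd"]), len(one["stuck"]))
```

With one counter the last PE can re-increment the counter before a waiting PE has seen it reset, which leaves every PE spinning; the explorer reports that state in "stuck".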


5.  "Cessation  of  activity"  synchronization. 

The need for this synchronization, described in [5], arises in
"producer-consumer" programs. When the supply of produced data is
empty and there is no hope that any PE will produce more data, all PEs
are to be trapped in a special section that registers "cessation of
activity". As long as data can appear, no PEs should be trapped. The
comprehensive representation of this example is rather complicated and
requires us to represent not only the "cessation of activity" routine
but also the maintenance of upper and lower bounds for the buffer of
stored data, and the "overflowed buffer" synchronization routine.'

'The "overflowed buffer" state means: all PEs have produced data but no
room is left in the buffer. Logically the "overflowed buffer"
situation is the same as "cessation of activity". (Interchange
"consuming" with "producing", the state "buffer empty" with the state
"buffer full").

We will not represent here all these programs because the analysis
of them together is beyond the "manual" level and requires some
automatization. Hoping that such automatization is possible, we
represent here an idealized version of "cessation of activity"
synchronization. The first step of idealization is to consider a
buffer of unlimited size. Then the program would have the following
form, where b is the upper bound for the number of pieces of
information in the buffer, w is the counter for the number of PEs
sitting inside the control appendix. Initially w = 0. The initial
value of b is immaterial providing b > 0.


COMMENT distributor

P1:   work with data (produce or consume)
      go to P2 (to insert a new piece of data)
      or to P3 (to delete one previously stored piece of data)

COMMENT insertion section

P2:   REPADD (b,1)
      insert a piece of data into the buffer
      go to P1

COMMENT deletion section

P3:   if (b ≤ 0) then go to P6

P4:   if (REPADD (b,-1) ≤ -1) then go to P5
      delete a piece of data from the buffer
      go to P1

P5:   REPADD (b,1)
      go to P6

COMMENT control appendix

P6:   REPADD (w,1)

P7:   if (b ≤ 0) then go to P9

COMMENT recover from control appendix

P8:   REPADD (w,-1)
      go to P3

P9:   if (w ≤ N-1) then go to P7

COMMENT registration of cessation of activity

P10:  go to *
Unfortunately this program does not allow any compact REACHABILITY
TREE: to exhaust all reachable sets one has at least to exhaust the
buffer. (In section 7 we consider another example of the program that
does not allow a compact REACHABILITY TREE). The next step of
idealization is to eliminate counter b. Instead of b we introduce the
binary flag e: e = 1 if the buffer is empty, e = 0 otherwise.
Initially, e = 0. Now the program has the following form:

P1:   go to P2 or P3

P2:   e <- 0
      go to P1

P3:   if (e = 1) then go to P6

P4:   go to P1 or P5

P5:   e <- 1
      go to P1

P6:   REPADD (w,1)

P7:   if (e = 1) then go to P9

P8:   REPADD (w,-1)
      go to P3

P9:   if (w ≤ N-1) then go to P7

P10:  go to *


Note that in the code, exterior positions (P1, P4 and P10) appear
for the first time in our examples. We will not discuss here the
correspondence between the latter program and the original one. (It
can be proved that for each history of the latter program there is a
corresponding history of the former. The opposite is not true). Note,
that indivisibility of the operations e <- 0 and e <- 1 is provided by
our interpretation of abstract programs (see section 2). If one wants
to use this code as a concrete program one has to provide the
indivisibility somehow.

We want to verify the following assertions about this program:

(A1) If there is no data to work (e = 1) for any time t > t1 then
there exists such a time t2 that for all t > t2 all PEs are registered
as free from activity (n10 = N).

(A2) If there are PEs registered as free from activity (n10 ≥ 1)
at any time t1 then for any time t > t1 there is no data to work (e =
1).

The REACHABILITY TREE, INCLUSIONS and RSD are represented in
tables 5.1, 5.2.

REACHABILITY TREE

S1   n1 = N, e = 0, w = 0
    moves from P1 to P2 lead to S2

S2   n1 + n2 = N, e = 0, w = 0
    moves from P1 to P3 lead to S3

S3   n1 + n2 + n3 = N, e = 0, w = 0
    moves from P3 to P4 lead to S4

S4   n1 +...+ n4 = N, e = 0, w = 0
    moves from P4 to P5 lead to S5

S5   n1 +...+ n5 = N, e = 0, w = 0
    moves from P5 to P1 lead to S6

S6   n1 +...+ n5 = N, n1 ≥ 1, e = 1, w = 0
    moves from P1 to P2 lead to S7

S7   n1 +...+ n5 = N, n1 + n2 ≥ 1, e = 1, w = 0
    moves from P1 to P3 lead to S8

S8   n1 +...+ n5 = N, n1 + n2 + n3 ≥ 1, e = 1, w = 0
    moves from P3 to P6 lead to S9

S9   n1 +...+ n6 = N, n1 + n2 + n3 + n6 ≥ 1, e = 1, w = 0
    moves from P2 to P1 lead to S10

S10  n1 +...+ n6 = N, n1 ≥ 1, e = 0, w = 0
    moves from P1 to P2 lead to S11

S11  n1 +...+ n6 = N, n1 + n2 ≥ 1, e = 0, w = 0
    moves from P1 to P3 lead to S12

S12  n1 +...+ n6 = N, n1 + n2 + n3 ≥ 1, e = 0, w = 0
    moves from P3 to P4 lead to S13

S13  n1 +...+ n6 = N, n1 +...+ n4 ≥ 1, e = 0, w = 0
    moves from P4 to P5 lead to S14

S14  n1 +...+ n6 = N, n1 +...+ n5 ≥ 1, e = 0, w = 0
    moves from P6 to P7 lead to S15

S15  n1 +...+ n7 = N, n1 +...+ n5 ≥ 1, e = 0,
     n7 ≤ N-1, w = n7
    moves from P7 to P8 lead to S16

S16  n1 +...+ n8 = N, n1 +...+ n5 ≥ 1, e = 0,
     n7 + n8 ≤ N-1, w = n7 + n8
    moves from P5 to P1 lead to S17

S17  n1 +...+ n8 = N, n1 ≥ 1, e = 1,
     n7 + n8 ≤ N-1, w = n7 + n8
    moves from P1 to P2 lead to S18

S18  n1 +...+ n8 = N, n1 + n2 ≥ 1, e = 1,
     n7 + n8 ≤ N-1, w = n7 + n8
    moves from P1 to P3 lead to S19

S19  n1 +...+ n8 = N, n1 + n2 + n3 ≥ 1, e = 1,
     n7 + n8 ≤ N-1, w = n7 + n8
    moves from P7 to P9 lead to S20

S20  n1 +...+ n9 = N, n1 + n2 + n3 ≥ 1, e = 1,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9
    moves from P3 to P6 lead to S21

S21  n1 +...+ n9 = N, n1 + n2 + n3 + n6 ≥ 1, e = 1,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9
    moves from P2 to P1 lead to S22
    moves from P6 to P7 lead to S27, if n7 + n8 + n9 ≤ N-1
                        or lead to S29, if n7 + n8 + n9 = N

S22  n1 +...+ n9 = N, n1 ≥ 1, e = 0, w = n7 + n8 + n9,
     n7 + n8 + n9 ≤ N-1
    moves from P1 to P2 lead to S23

S23  n1 +...+ n9 = N, n1 + n2 ≥ 1, e = 0, w = n7 + n8 + n9,
     n7 + n8 + n9 ≤ N-1
    moves from P1 to P3 lead to S24

S24  n1 +...+ n9 = N, n1 + n2 + n3 ≥ 1, e = 0,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9
    moves from P3 to P4 lead to S25

S25  n1 +...+ n9 = N, n1 +...+ n4 ≥ 1, e = 0,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9
    moves from P4 to P5 lead to S26

S26  n1 +...+ n9 = N, n1 +...+ n5 ≥ 1, e = 0,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9

S27  n1 +...+ n9 = N, e = 1, n1 + n2 + n3 + n6 + n7 ≥ 1,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9
    moves from P7 to P9 lead to S28

S28  n1 +...+ n9 = N, e = 1, n1 + n2 + n3 + n6 + n7 + n9 ≥ 1,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9

S29  n7 +...+ n9 = N, e = 1, w = N
    moves from P9 to P10 lead to S30

S30  n7 +...+ n10 = N, e = 1, w = N
    moves from P8 to P3 lead to S31

S31  n3 + n7 + n8 + n9 + n10 = N, e = 1, n3 ≥ 1,
     n7 +...+ n10 ≤ N-1, w = n7 +...+ n10
    moves from P3 to P6 lead to S32

S32  n3 + n6 + n7 + n8 + n9 + n10 = N, e = 1, n3 + n6 ≥ 1,
     n7 +...+ n10 ≤ N-1, w = n7 +...+ n10


INCLUSIONS

S1 ⊂ ... ⊂ S5 ⊂ S26;

S10 ⊂ ... ⊂ S16 ⊂ S26;

S6 ⊂ ... ⊂ S9 ⊂ S28;

S17 ⊂ ... ⊂ S21 ⊂ S27 ⊂ S28;

S29 ⊂ S30;

S31 ⊂ S32


Table 5.1
REACHABILITY SET DESCRIPTION

S26  n1 +...+ n9 = N, n1 +...+ n5 ≥ 1, e = 0,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9
    moves from P1 to P2 lead to *
    moves from P1 to P3 lead to *
    moves from P2 to P1 lead to *
    moves from P3 to P4 lead to *
    moves from P4 to P1 lead to *
    moves from P4 to P5 lead to *
    moves from P5 to P1 lead to S28
    moves from P6 to P7 lead to *
    moves from P7 to P8 lead to *
    moves from P8 to P3 lead to *
    moves from P9 to P7 lead to *

S28  n1 +...+ n9 = N, e = 1, n1 + n2 + n3 + n6 + n7 + n9 ≥ 1,
     n7 + n8 + n9 ≤ N-1, w = n7 + n8 + n9
    moves from P1 to P2 lead to *
    moves from P1 to P3 lead to *
    moves from P2 to P1 lead to S26
    moves from P3 to P6 lead to *
    moves from P4 to P1 lead to *
    moves from P4 to P5 lead to *
    moves from P5 to P1 lead to *
    moves from P6 to P7 lead to *, if n7 + n8 + n9 ≤ N-1
                        or lead to S30, if n7 + n8 + n9 = N
    moves from P7 to P9 lead to *
    moves from P8 to P3 lead to *
    moves from P9 to P7 lead to *

S30  n7 +...+ n10 = N, e = 1, w = N
    moves from P7 to P9 lead to *
    moves from P8 to P3 lead to S32
    moves from P9 to P10 lead to *
    moves from P10 to P10 lead to *

S32  n3 + n6 + n7 + n8 + n9 + n10 = N, e = 1, n3 + n6 ≥ 1,
     n7 +...+ n10 ≤ N-1, w = n7 +...+ n10
    moves from P3 to P6 lead to *
    moves from P6 to P7 lead to *, if n3 + n6 ≥ 1
                        or lead to S30, if n3 = n6 = 0
    moves from P7 to P9 lead to *
    moves from P8 to P3 lead to *
    moves from P9 to P10 lead to *
    moves from P10 to P10 lead to *


Table 5.2
It is easy to see that if n10 = N happens at moment t' then it is
true for all t > t'. Hence (A1) can be expressed in the form:

- there is no cycle satisfying the FDP such that the conditions e
= 1 and n10 < N are held for all states on cycle.

(A2) can be expressed in the form:

- for any 2 states s1 and s2 if n10 ≥ 1 in s1 and e = 0 in s2 then
there is no way from s1 to s2 in A.

To verify (A1) we use the procedure FIND SCC for p(s) = {e = 1 &
n10 ≤ N-1}. We do not represent here the graph Γ•p obtained after
Step 1 and go directly to step 2 which gives the following 2 SCCs L in
Γ•p.

First SCC in Γ•p (L=L1):

S28•p  n1 +...+ n9 = N, e = 1, n1 + n2 + n3 + n6 + n7 + n9 ≥ 1,
       n7 + n8 + n9 ≤ N-1, n10 ≤ N-1, w = n7 + n8 + n9
    moves from P1 to P3 lead to *
    moves from P3 to P6 lead to *
    moves from P4 to P1 lead to *
    moves from P4 to P5 lead to *
    moves from P5 to P1 lead to *
    moves from P6 to P7 lead to *, if n7 + n8 + n9 ≤ N-1
    moves from P7 to P9 lead to *

Second SCC in Γ•p (L=L2):

S30•p  n7 +...+ n10 = N, n10 ≤ N-1, e = 1, w = N
    moves from P7 to P9 lead to *
    moves from P8 to P3 lead to S32•p
    moves from P9 to P10 lead to *
    moves from P10 to P10 lead to *

S32•p  n3 + n6 + n7 + n8 + n9 + n10 = N, e = 1, n3 + n6 ≥ 1,
       n7 +...+ n10 ≤ N-1, w = n7 +...+ n10
    moves from P3 to P6 lead to *
    moves from P6 to P7 lead to *, if n3 + n6 ≥ 1
                        or lead to S30•p, if n3 = n6 = 0
    moves from P7 to P9 lead to *
    moves from P8 to P3 lead to *
    moves from P9 to P10 lead to *
    moves from P10 to P10 lead to *
L1 gives the graph P4 -> P1 -> P3 -> P6 -> P7 -> P9, P4 -> P5 ->
P1 in G, which has no SCC.

L2 gives the graph P8 -> P3 -> P6 -> P7 -> P9 -> P10 -> P10, which
in turn on step 3 of the procedure gives the only loop M, of the form
P10 -> P10. This loop can only carry the following two classes of SCCs
in A•p:

S30•p  n7 +...+ n10 = N, n10 ≤ N-1, e = 1, w = N
    moves from P10 to P10 lead to *

S32•p  n3 + n6 + n7 + n8 + n9 + n10 = N, e = 1, n3 + n6 ≥ 1,
       n7 +...+ n10 ≤ N-1, w = n7 +...+ n10
    moves from P10 to P10 lead to *


But none of these SCCs satisfies the FDP, because there is always
a position which contains a positive number of "sleeping" PEs. This
proves (A1).

(A2) can be seen from the RSD in the following way. The property
n10 ≥ 1 can be true only for some states in S30 and S32. But neither
of these sets has a state with e = 0 and all transitions from a state
in S30 ∪ S32 yield a state in S30 ∪ S32.

So the program satisfies (A2).


6.  Readers  and  writers. 


The  simplest  variant  of   the  program  from   [5]   is  taken  here. 
Initially  the  counter  sem  is  equal  to  N. 
P1:   {...}

COMMENT distributor

P2:   go to P3 (to read) or go to P8 (to write)

COMMENT reader

P3:   if (sem ≤ 0) then go to *

P4:   if (REPADD (sem,-1) ≥ 0) then go to P6

P5:   REPADD (sem,1)
      go to P3

COMMENT critical section, protected by sem

P6:   {...}

P7:   REPADD (sem,1)
      go to P1

COMMENT writer

P8:   if (sem ≤ N-1) then go to *

P9:   if (REPADD (sem,-N) ≥ 0) then go to P11

P10:  REPADD (sem,N)
      go to P8

COMMENT critical section, protected by sem

P11:  {...}

P12:  REPADD (sem,N)
      go to P1


We want to verify the following assertions about the program:

(A1) No more than 1 writer can write, i.e. stay in P11.

(A2) While the writer is writing no readers can read, i.e. stay
in P6.

(A3) While any positive number of readers are reading no
writer can write.

(A4) For any time t such that no PEs are in the critical section
at time t, there exists a time t' > t such that some PE is in the
critical section at time t'.

We can rewrite this program in the form of the following abstract
program.


P1:   go to P2 or to P6

P2:   if (sem < 0) then go to *

P3:   if (REPADD (sem,-1) > 0) then go to P5

P4:   REPADD (sem,1)
      go to P2

P5:   REPADD (sem,1)
      go to P1

P6:   if (sem < N-1) then go to *

P7:   if (REPADD (sem,-N) > 0) then go to P9

P8:   REPADD (sem,N)
      go to P6

P9:   REPADD (sem,N)
      go to P1


The REACHABILITY TREE, INCLUSIONS and RSD are represented in
tables 6.1, 6.2.

REACHABILITY TREE

S1 n1 = N, sem = N
moves from P1 to P2 lead to S2

S2 n1 + n2 = N, sem = N
moves from P2 to P3 lead to S3

S3 n1 + n2 + n3 = N, sem = N
moves from P1 to P6 lead to S4

S4 n1 + n2 + n3 + n6 = N, sem = N
moves from P6 to P7 lead to S5

S5 n1 + n2 + n3 + n6 + n7 = N, sem = N
moves from P3 to P5 lead to S6
moves from P7 to P9 lead to S11

S6 n1 + n2 + n3 + n5 + n6 + n7 = N,
n5 > 1, sem = N - n5
moves from P7 to P8 lead to S7

S7 n1 + n2 + n3 + n5 + n6 + n7 + n8 = N,
n5 > 1, n8 > 1, sem = N x (1 - n8) - n5
moves from P5 to P1 lead to S8

S8 n1 + n2 + n3 + n5 + n6 + n7 + n8 = N,
n1 + n5 > 1, n8 > 1, sem = N x (1 - n8) - n5
moves from P1 to P2 lead to S9

S9 n1 + n2 + n3 + n5 + n6 + n7 + n8 = N,
n1 + n2 + n5 > 1, n8 > 1,
sem = N x (1 - n8) - n5
moves from P1 to P6 lead to S10

S10 n1 + n2 + n3 + n5 + n6 + n7 + n8 = N,
n1 + n2 + n5 + n6 > 1, n8 > 1,
sem = N x (1 - n8) - n5

S11 n1 + n2 + n3 + n6 + n7 + n9 = N,
n9 = 1, sem = 0
moves from P3 to P4 lead to S12

S12 n1 +...+ n4 + n6 + n7 + n9 = N,
n9 = 1, sem = -n4
moves from P7 to P8 lead to S13

S13 n1 +...+ n4 + n6 +...+ n9 = N,
n9 = 1, sem = -N x n8 - n4
moves from P9 to P1 lead to S14, if n8 = 0, and n4 > 1
or lead to S23, if n8 > 1

S14 n1 +...+ n4 + n6 + n7 = N
n4 > 1, n1 > 1,
sem = N - n4
moves from P1 to P2 lead to S15

S15 n1 +...+ n4 + n6 + n7 = N
n4 > 1, n1 + n2 > 1,
sem = N - n4
moves from P1 to P6 lead to S16

S16 n1 +...+ n4 + n6 + n7 = N
n4 > 1, n1 + n2 + n6 > 1,
sem = N - n4
moves from P2 to P3 lead to S17

S17 n1 +...+ n4 + n6 + n7 = N
n4 > 1, n1 + n2 + n3 + n6 > 1,
sem = N - n4
moves from P3 to P5 lead to S18

S18 n1 +...+ n7 = N
n4 > 1, n1 + n2 + n3 + n5 + n6 > 1
sem = N - n4 - n5
moves from P7 to P8 lead to S19

S19 n1 +...+ n8 = N, n8 > 1,
n4 > 1, n1 + n2 + n3 + n5 + n6 > 1,
sem = N x (1 - n8) - n4 - n5
moves from P3 to P4 lead to S20
moves from P4 to P2 lead to S22

S20 n1 +...+ n8 = N, n8 > 1,
n4 > 2,
sem = N x (1 - n8) - n4 - n5
moves from P4 to P2 lead to S21

S21 n1 +...+ n8 = N, n8 > 1,
n2 + n4 > 2,
sem = N x (1 - n8) - n4 - n5

S22 n1 +...+ n8 = N, n8 > 1,
n2 > 1, n1 + n2 + n3 + n5 + n6 > 2
sem = N x (1 - n8) - n4 - n5

S23 n1 +...+ n4 + n6 + n7 + n8 = N, n8 > 1,
n1 > 1,
sem = N x (1 - n8) - n4
moves from P1 to P2 lead to S24

S24 n1 +...+ n4 + n6 + n7 + n8 = N, n8 > 1,
n1 + n2 > 1,
sem = N x (1 - n8) - n4
moves from P1 to P6 lead to S25

S25 n1 +...+ n4 + n6 + n7 + n8 = N, n8 > 1,
n1 + n2 + n6 > 1,
sem = N x (1 - n8) - n4


Table 6.1

INCLUSIONS

S1 ⊂ ... ⊂ S5;
S7 ⊂ ... ⊂ S10;
S11 ⊂ S12 ⊂ S13;
S14 ⊂ ... ⊂ S18;
S20 ⊂ S21;
S23 ⊂ S24 ⊂ S25

REACHABILITY SET DESCRIPTION

S5 n1 + n2 + n3 + n6 + n7 = N, sem = N
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P3 lead to *
moves from P3 to P5 lead to S6
moves from P6 to P7 lead to *
moves from P7 to P9 lead to S13

S6 n1 + n2 + n3 + n5 + n6 + n7 = N,
n5 > 1, sem = N - n5
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P3 lead to *
moves from P3 to P5 lead to *
moves from P5 to P1 lead to *, if n5 > 1
or lead to S5, if n5 = 0
moves from P7 to P8 lead to S10

S10 n1 + n2 + n3 + n5 + n6 + n7 + n8 = N,
n1 + n2 + n5 + n6 > 1, n8 > 1,
sem = N x (1 - n8) - n4 - n5
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P2 lead to *
moves from P3 to P4 lead to S19
moves from P5 to P1 lead to *
moves from P6 to P6 lead to *
moves from P7 to P8 lead to *
moves from P8 to P6 lead to *, if n8 > 1
or lead to S6, if n8 = 0, n5 > 1
or lead to S5, if n5 = n8 = 0

S13 n1 +...+ n4 + n6 +...+ n9 = N,
n9 = 1, sem = -N x n8 - n4
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P2 lead to *
moves from P3 to P4 lead to S19
moves from P4 to P2 lead to *
moves from P6 to P6 lead to *
moves from P7 to P8 lead to *
moves from P8 to P6 lead to *
moves from P9 to P1 lead to S18, if n8 = 0, and n4 > 1
or lead to S25, if n8 > 1
or lead to S5, if n8 = n4 = 0

S18 n1 +...+ n7 = N
n4 > 1, n1 + n2 + n3 + n5 + n6 > 1
sem = N - n4 - n5
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P3 lead to *
moves from P3 to P5 lead to *
moves from P4 to P2 lead to *, if n4 > 1
or lead to S6, if n4 = 0, n5 > 1
or lead to S5, if n4 = n5 = 0
moves from P5 to P1 lead to *
moves from P6 to P6 lead to *

S19 n1 +...+ n8 = N, n8 > 1,
n4 > 1, n1 + n2 + n3 + n5 + n6 > 1,
sem = N x (1 - n8) - n4 - n5
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P2 lead to *
moves from P3 to P4 lead to S21
moves from P4 to P2 lead to S22
moves from P5 to P1 lead to *
moves from P6 to P6 lead to *
moves from P7 to P8 lead to *
moves from P8 to P6 lead to *, if n8 > 1
or lead to S18, if n8 = 0

S21 n1 +...+ n8 = N, n8 > 1,
n2 + n4 > 2,
sem = N x (1 - n8) - n4 - n5
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P2 lead to *
moves from P3 to P4 lead to *
moves from P4 to P2 lead to *
moves from P5 to P1 lead to *
moves from P6 to P6 lead to *
moves from P7 to P8 lead to *
moves from P8 to P6 lead to *, if n8 > 1
or lead to S18, if n8 = 0, n4 > 1
or lead to S6, if n8 = n4 = 0, n5 > 1
or lead to S5, if n4 = n5 = n8 = 0

S22 n1 +...+ n8 = N, n8 > 1,
n2 > 1, n1 + n2 + n3 + n5 + n6 > 2
sem = N x (1 - n8) - n4 - n5
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P2 lead to *
moves from P3 to P4 lead to S21
moves from P4 to P2 lead to *
moves from P5 to P1 lead to *
moves from P6 to P6 lead to *
moves from P7 to P8 lead to *
moves from P8 to P6 lead to *, if n8 > 1
or lead to S18, if n8 = 0, n4 > 1
or lead to S6, if n8 = n4 = 0, n5 > 1
or lead to S5, if n4 = n5 = n8 = 0

S25 n1 +...+ n4 + n6 + n7 + n8 = N, n8 > 1,
n1 + n2 + n6 > 1,
sem = N x (1 - n8) - n4
moves from P1 to P2 lead to *
moves from P1 to P6 lead to *
moves from P2 to P2 lead to *
moves from P3 to P4 lead to *
moves from P4 to P2 lead to *
moves from P5 to P1 lead to *
moves from P6 to P6 lead to *
moves from P7 to P8 lead to *
moves from P8 to P6 lead to *, if n8 > 1
or lead to S18, if n8 = 0, n4 > 1
or lead to S5, if n4 = n8 = 0


Table 6.2

Since properties (A1), (A2), (A3) together can be expressed as

- n9 < 1, n5 x n9 = 0 for all states,

they follow immediately from the description.
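
As an added illustration (not part of the paper), the abstract program can be explored exhaustively for small N to confirm that no reachable state has more than one PE at P9, or PEs at P5 and P9 together. The sketch assumes that one PE moves per step, that REPADD returns the updated value of sem, and that the tests are read as non-strict (sem <= 0, sem <= N-1, REPADD(...) >= 0); these readings, and the single sem identity that combines the per-set formulas, are assumptions of the example.

```python
from collections import deque

def successors(state, N):
    """States reached when one PE executes the statement at its position."""
    n, sem = state                      # n[i-1] = number of PEs at position Pi

    def move(src, dst, new_sem):
        m = list(n)
        m[src - 1] -= 1
        m[dst - 1] += 1
        return tuple(m), new_sem

    for pos in (p for p in range(1, 10) if n[p - 1] > 0):
        if pos == 1:                    # P1: go to P2 (read) or P6 (write)
            yield move(1, 2, sem)
            yield move(1, 6, sem)
        elif pos == 2:                  # P2: reader waits while sem <= 0 (assumed)
            yield move(2, 2 if sem <= 0 else 3, sem)
        elif pos == 3:                  # P3: REPADD(sem,-1); P5 on success, else P4
            yield move(3, 5 if sem - 1 >= 0 else 4, sem - 1)
        elif pos == 4:                  # P4: undo the failed REPADD, retry at P2
            yield move(4, 2, sem + 1)
        elif pos == 5:                  # P5: reader leaves the critical section
            yield move(5, 1, sem + 1)
        elif pos == 6:                  # P6: writer waits while sem <= N-1 (assumed)
            yield move(6, 6 if sem <= N - 1 else 7, sem)
        elif pos == 7:                  # P7: REPADD(sem,-N); P9 on success, else P8
            yield move(7, 9 if sem - N >= 0 else 8, sem - N)
        elif pos == 8:                  # P8: undo the failed REPADD, retry at P6
            yield move(8, 6, sem + N)
        else:                           # P9: writer leaves the critical section
            yield move(9, 1, sem + N)

def reachable(N):
    """Breadth-first search from the initial state n1 = N, sem = N."""
    start = ((N,) + (0,) * 8, N)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in successors(queue.popleft(), N):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def check(N):
    """Return (A1-A3 hold, sem identity holds) over all reachable states."""
    states = reachable(N)
    a123 = all(n[8] <= 1 and n[4] * n[8] == 0 for n, _ in states)
    # Assumed combined identity: sem = N x (1 - n8 - n9) - n4 - n5
    sem_ok = all(s == N * (1 - n[7] - n[8]) - n[3] - n[4] for n, s in states)
    return a123, sem_ok
```

Unlike the RSD, this enumeration must be repeated for each N and grows with it, which is the cost the N-independent description avoids.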


(A4) can be expressed in the form:

- there are no cycles satisfying the FDP such that n5 = n9 = 0
along all the states on the cycle.

We apply the procedure FIND SCC for p(s) = {n5 = n9 = 0} and find
out that there are only 7 SCCs L in r»p. These correspond to the
single nodes S5»p, S10»p, S18»p, S19»p, S21»p, S22»p, S25»p, looping to
themselves. It is easy to verify that only the following two loops can
carry moves in the SCC under question. These moves are

moves from P2 to P2 lead to *

moves from P6 to P6 lead to *

Now (A4) follows from the fact that none of the sets S10»p, S18»p,
S19»p, S21»p, S22»p, S25»p has a state satisfying the condition
n2 + n6 = N, which would have been the only possibility to arrange
the cycle satisfying the FDP.


7.  Conclusion. 


To  build  a  compact  RSD  we  reduce  a  REACHABILITY  TREE  that  in  turn 
must  be  compact.  The  first  "producer-consumer"  program  presented  in 
section  5  (which  we  henceforth  refer  to  as  PC)  does  not  allow  a  compact 
REACHABILITY  TREE   for   the   obvious   reason   that  it  has  an  unbounded 
counter: for any fixed number of PEs, N, any REACHABILITY TREE for PC
is infinite. In this section we present a less trivial example that
can not possess any compact REACHABILITY TREE independent of N. However,
unlike PC, for any given N the REACHABILITY TREE is finite. This
example possesses the RSD consisting of 2 sets as given in table 7.1.
This program consists of the following code with initially sem = N-1.

P1:   if (REPADD (sem,-1) > 0) then go to P3

P2:   REPADD (sem,1)
      go to P1

P3:   REPADD (sem,1)
      go to P1


Note  that  this  code  is  equivalent  to  the  incorrect  PV-semaphore 
program  of  section  1;  the  only  difference  between  these  two  programs  is 
the  initial  value  of  sem.  If  the  initial  value  of  sem  is  independent 
of  N,  then  the  program  possesses  a  compact  REACHABILITY  TREE. 


REACHABILITY SET DESCRIPTION

S1 n1 + n2 + n3 = N, n1 > 2, sem = n1 - 1
moves from P1 to P3 lead to *, if n1 > 2
or lead to S2, if n1 = 1
moves from P2 to P1 lead to *
moves from P3 to P1 lead to *

S2 n1 + n2 + n3 = N, n1 < 1, n1 + n2 > 1, sem = n1 - 1
moves from P1 to P2 lead to *
moves from P2 to P1 lead to *, if n1 < 1
or lead to S1, if n1 > 2
moves from P3 to P1 lead to *, if n1 < 1
or lead to S1, if n1 > 1

Table 7.1

Strictly speaking we can not prove that the program can not have
a compact REACHABILITY TREE because we have not defined a REACHABILITY
TREE. (Such a definition exceeds the range of the paper.) A brief
outline of the proof follows:

Imagine a parallel computer executing our abstract programs, which
consist of (I) and (E) statements as defined in section 2. We suppose
that each operation (including simultaneous Replace-f operations) is
effected in a single cycle.

Let us call a program compact with respect to the given initial
state s0, if there is a time T0 independent of N such that any state in
R(s0) can be reached from s0 within time T0.

It can be shown that if a program has a compact REACHABILITY TREE
then it is compact. It can also be shown that the program given above
is not compact because the state {n1 = 0, n2 = N, n3 = 0; sem = -1} can
not be reached from the initial state {n1 = N, n2 = n3 = 0; sem = N-1}
in time asymptotically less than Ω(N).